SANS NewsBites

Zoom Security and Privacy; FBI Stops Malicious COVID-19 Websites; NSA and Australian ASD Advisory on Web Shell Malware

April 24, 2020 | Volume XXII - Issue #33

Top of the News


2020-04-22

Zoom 5.0 Includes Security and Privacy Improvements

Zoom has released a new version of its teleconferencing software. New features in Zoom 5.0 include controlled data routing and passwords on by default for all meetings; administrators can now establish password complexity requirements. Zoom is also implementing stronger encryption, which is expected to be enabled system-wide by the end of May. The newest version of Zoom will be rolled out to users over the next week.

Editor's Note

Zoom continues to live up to its promise to enhance security, but there is a predictable trajectory when IT platforms retroactively add security features. Security management capabilities tend to lag, providing limited visibility into and tracking of critical security policies/events. The Business version of Zoom has an admin dashboard that is mostly performance oriented and relies on exporting .CSV files for any deeper analysis - never a scalable approach. Third-party partner vendors can fill the gap, but the Zoom App Marketplace has a very limited choice of small vendors. Zoom may add more security management capabilities, but training will be required for admins and security analysts on how to properly configure and monitor security relevant features, how to integrate to SIEM, etc. Many will require direct vendor support until these capabilities mature. At the Enterprise pricing level of Zoom ($1999/month minimum) you get a dedicated "Customer Success Manager" which many may need to buy.

John Pescatore

The update is not available yet; yes, I tried to update before reading that, too. The plan is to push out client updates next week. They are updating to AES 265 GCM encryption, and allowing your account admin to control meeting routing. They are also grouping the security settings together under a new security icon. The Zoom blog explains the new features: https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/: Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0

Lee Neely

2020-04-22

FBI and Domain Name Registries Take Down Malicious COVID-19 Websites

The FBI, working in cooperation with domain registries and other technology companies, has removed hundreds of malicious websites with names related to COVID-19. Some of the websites pretended to be legitimate sites seeking donations; others pretended to be US government websites and sought to collect personal information. The FBI's Internet Crime Complaint Center has received more than 3,600 complaints related to COVID-19 scams.

Editor's Note

It is important that we accept the risk of more false positive blocking of URLs than in more normal times. Bad guys have their greatest successes taking advantage of people (users, admins, CFOs, CEOs, directors of boards, etc.) when the targets are distracted and can be made to feel a sense of urgency. Let's all hope we never see this high level of distraction and uncertainty again in our lifetimes, but while we are stuck in it, it is the time to err on the side of caution and to deal with "Hey, your stupid security system kept me away from this perfectly safe website" complaints.

John Pescatore

2020-04-23

NSA and Australian Signals Directorate Issue Joint Advisory on Web Shell Malware

A joint security advisory from the US National Security Agency (NSA) and the Australian Signals Directorate (ASD) urges organizations to take steps to detect and prevent web shell malware. Suggested detection techniques include "known-good" comparison, web traffic anomaly detection, and signature-based detection. Suggested prevention techniques include web application permissions, file integrity monitoring, and network segregation. The advisory also includes a list of commonly exploited web application vulnerabilities.
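The "known-good" comparison the advisory recommends amounts to hashing a deployed web root and diffing it against a baseline taken from a trusted build, so that files an attacker added or altered stand out. The script below is an added illustration written for this newsletter item, not code from the NSA/ASD advisory; the web root contents and the "tampering" are constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example of the advisory's "known-good comparison" idea: hash every
# file under a web root and diff the result against a trusted baseline.


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline, current):
    """Classify files as added, modified or missing relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "missing": missing}


def demo():
    """Constructed scenario: a clean deployment, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "www"
        (webroot / "inc").mkdir(parents=True)
        (webroot / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (webroot / "inc" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")
        baseline = snapshot(webroot)  # taken from the trusted build

        # Constructed tampering: an existing include is altered and a file
        # that was never part of the deployment appears in the web root.
        (webroot / "inc" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; // edited ?>\n")
        (webroot / "uploads.php").write_text("<?php /* constructed unexpected file */ ?>\n")
        return compare(baseline, snapshot(webroot))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be generated from the artifact that was actually deployed (package, container image or release tag) and stored off the web server, since a baseline kept on the host can be altered along with the files it protects.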

The Rest of the Week's News


2020-04-23

New GNU Compiler Collection (GCC) 10 Feature Detected OpenSSL Flaw

A high-severity flaw in OpenSSL could be exploited to crash servers and applications running vulnerable OpenSSL builds. The flaw was detected by GCC 10's new static analysis feature.

Editor's Note

It is exciting to see features like this incorporated in a popular compiler like GCC. I hope that this feature will find many more vulnerabilities. The fact that it found the problem in OpenSSL, a project that has already seen quite a few reviews in recent years, shows how valuable it is.

Johannes Ullrich

2020-04-22

Apple Will Fix Flaws in iOS Mail

A pair of vulnerabilities in Apple's mail app on iOS devices have been actively exploited since 2018. The ZecOps researchers who found the vulnerabilities say that they have been present since iOS 6, which was released in 2012. ZecOps says the vulnerabilities have been exploited to spy on employees of a North American Fortune 500 company, a European journalist, managed security service providers in the Middle East, and others. Apple has patched the flaws in the iOS 13.4.5 beta release. (Please note that the WSJ story is behind a paywall.)

Editor's Note

There is no great work-around for users right now. You may be able to filter some attacks on the mail server using the IOCs provided, but it is hard to tell how good these IOCs are. If you are using a cloud-based mail service, there is usually little you can do unless the provider has already implemented these filters. I feel that ZecOps was too fast in releasing that much detail. But they are right in their assessment that while the flaw does allow arbitrary code execution, due to additional safeguards iOS put in place, a compromise of the phone would require additional kernel exploits.

Johannes Ullrich

iOS 13.4.5 public beta is available for testing on devices enrolled in Apple's beta software program. Enroll from your device at https://beta.apple.com. While Apple holds release dates close, they have been working towards publishing updates on patch Tuesday.

Lee Neely

2020-04-23

US Small Business Administration Data Breach

The US Small Business Administration (SBA) has disclosed a suspected data breach that may have exposed information entered into an emergency loan application portal. Potentially compromised data include names, Social Security numbers, addresses, dates of birth, and insurance information of nearly 8,000 applicants to the SBA's Economic Injury Disaster Loans (EIDL) program. The possible breach was detected in late March.

Editor's Note

The flaw allowed access to other businesses' data while in the application portal and was only exploitable through the EIDL portal. The flaw was fixed March 25th. Businesses affected were notified and offered a year of free credit monitoring.

Lee Neely

2020-04-22

Hacked Ad Servers

Researchers at Confiant have detected a malvertising scheme that has been ongoing since at least August 2019. Hackers have been breaking into ad networks running older versions of the Revive ad server. They then add malicious code to existing ads so that the ads will redirect users to malicious sites. The hackers have compromised about 60 ad servers.


2020-04-22

Microsoft Releases Unscheduled Fixes for Autodesk FBX Library

Microsoft has released fixes to address vulnerabilities in the Autodesk FBX library outside of its regular patch schedule. The Autodesk FBX library is integrated in Microsoft Office, Office 365 ProPlus, and Paint 3D. The vulnerabilities, which are rated "important," could be exploited to allow remote code execution.

Editor's Note

As always, if Microsoft deem a vulnerability important enough to release a patch out of cycle, then you should deem it important enough to apply that patch.

Brian Honan

2020-04-21

IBM Data Risk Manager Zero-days

After initially rejecting reports of four vulnerabilities in IBM Data Risk Manager (IDRM), IBM has acknowledged that "a process error resulted in an improper response to the researcher who reported this situation to IBM." The person who discovered the flaws disclosed them on April 21, after IBM would not accept their disclosure through the company's vulnerability disclosure program. The vulnerabilities could be exploited to allow unauthenticated remote code execution.

Editor's Note

When running a vulnerability disclosure program, treating the reported issues as legitimate and respecting those reporting is key to not undermining the program's credibility as well as preventing undesired disclosure of flaws, irrespective of the exploitability of those flaws.

Lee Neely

2020-04-23

Phishing Campaign Targets Skype Credentials

Phishers are sending phony emails to Skype users in the hopes of harvesting their account credentials. The email messages tell users that they have pending Skype notifications and provide a link to what looks like a Skype login page.

Editor's Note

Enable multi-factor authentication on your Microsoft accounts. All Microsoft/Skype account types allow addition of MS Authenticator, SMS or Email second factor validation.

Lee Neely

2020-04-22

DoppelPaymer Ransomware Group Posts Files Stolen From Torrance, California Systems

Computers belonging to the City of Torrance, California, were infected with DoppelPaymer ransomware earlier this year. At the time, the Los Angeles-area city said that no public personal information had been compromised. The attackers have begun leaking files they say were stolen from the city's computers and are demanding a payment of 100 bitcoin (roughly $750,000 as of Thursday evening) to take down the data.


2020-04-23

Private Equity Firms Fall Prey to Business Email Compromise

Criminals fooled three separate private equity firms in the UK into wiring funds to accounts the companies believed belonged to startups they intended to invest in, but which were actually controlled by the criminals. In all, the companies wired $1.3 million to the fraudsters' accounts; roughly $600,000 has been recovered.

Editor's Note

The hackers have been refining their techniques to be harder to detect. This attack used a combination of look-alike domains and email account takeovers, including adding filters to divert messages to a different folder to facilitate MITM activities. High level executives are targeted to add legitimacy to the fake messages generated. Aside from training on spotting spear phishing and using strong authentication on all email accounts, out of band validation of financial account information prior to setup or change remains a key mitigation.

Lee Neely

Internet Storm Center Tech Corner

SpectX: Log Parser for DFIR

https://isc.sans.edu/forums/diary/SpectX+Log+Parser+for+DFIR/26040/


Microsoft Patches Autodesk Library in Office

https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200004


Stripe Data Collection

https://mtlynch.io/stripe-recording-its-customers/


IBM Data Risk Manager Vulnerabilities

https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md


iOS Mail 0Day

https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/


Zoom 5 To Be Released Shortly Addressing Encryption Issues

https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/


OpenSSL Fixes DOS Flaw

https://www.openssl.org/news/secadv/20200421.txt


GCC's New Security Analyzer Finds Flaw in OpenSSL

https://developers.redhat.com/blog/2020/03/26/static-analysis-in-gcc-10/


IBM Spectrum Protect Server Stack Based Buffer Overflow

https://www.ibm.com/support/pages/node/6195706


Possible Issues With Cumulative Windows Updates

https://www.reddit.com/search/?q=KB4549951


Using a GPU as a Radio

https://duo.com/labs/research/finding-radio-sidechannels


Comparing Red Team Platforms

https://redcanary.com/blog/comparing-red-team-platforms/